Welcome!

Microservices Expo Authors: Liz McMillan, Zakia Bouachraoui, Elizabeth White, Pat Romanski, Yeshim Deniz

Related Topics: Microservices Expo

Microservices Expo: Article

Secure Web Services

Secure Web Services

Businesses need to provide their users with a method for securely connecting to their networks while minimizing the costs associated with providing this service - and also providing end users with as much convenience as possible.

As businesses embrace Web services as the method for delivering their applications, they are struggling with security issues. Network World recently reported that the top worry for IT executives deploying Web services is security. SSL (Secure Sockets Layer) can provide a viable alternative to Virtual Private Networking (VPN) companies for securing Web services.

Remote Access
Originally, remote end users connected to their corporate networks using dial-up modem services over POTS (plain old telephone service). This essentially provided businesses with a private connection to an end user, albeit temporary in nature. The primary security concern was one of authentication of the end user - guaranteeing that the business was letting the right people access the network through its modem pool.

As the Internet became ubiquitous, businesses longed for a way to eliminate the long-distance charges generated by their dial-up remote access services. End users were dialing into their ISPs locally to access the Internet with no long distance charges - why not just let them access the corporate network via the Internet? The simple answer was security. VPN companies came to the rescue.

VPNs
VPNs typically put specialized software on the client machines as well as a machine acting as the gateway to the corporate network. These pieces collaborate to encrypt traffic between the end points, guarantee the identity of the remote users accessing the corporate network, and guarantee that end users connect to the right place. Businesses can enjoy the savings of eliminating long-distance charges while maintaining the security of a private connection.

There is, however, a downside. The specialized software that has to go on the client machine costs both time and money. The client software itself must be purchased and installed on every client machine that will be enabled to access the corporate network. Anyone who's been involved in these rollouts knows that words like "incompatible," "conflicting programs," and "pilot error" make the cost of deploying this crucial service much higher than simply the price of the software at the end points - especially when dealing with thousands of remote users.

SSL
The Internet, of course, was (and is) growing by leaps and bounds. But consumers at large were wary of sending their credit card information over the Internet and being defrauded. SSL was popularized as a method to eliminate this concern. As long as the little lock or key icon popped up in the end user's browser, he or she felt more at ease and willing to conduct transactions over the Internet.

Originally, SSL delivered two basic functions:

  • It allowed the browser to be certain that the site being connected to was genuinely the one requested (by using a form of authentication).
  • It secured the data that was in transit between a browser and a Web server by using encryption.
SSL allows end users to guarantee the identity of the server to which they're connecting. Certificate authority (CA) companies such as VeriSign sell certificates that are installed on the SSL server. The CA acts as an objective third party that forces the business requesting the certificate to prove its identity prior to being granted a certificate. End users or browsers can verify that the SSL server to which they're connecting has a valid certificate issued by a CA and actually belongs to the business to which they're attempting to connect using SSL. Finally, certificates are the mechanism used to associate a unique key used for encryption with a particular SSL server.

The browser and server exchange keys in order to be able to negotiate an encrypted session. SSL then encrypts data while it's flowing between the end user and the SSL server to secure the traffic while it's in transit.

These functions have been crucial to the success of online business. Without them, end users wouldn't have the peace of mind needed to share information required for completing business transactions over the Internet.

So Why Not Just Use SSL Instead of VPNs?
Every system that's used to connect to the Internet has the client software installed, by default, as SSL into every browser. End users are familiar with it. SSL is a widely adopted standard. There's no cost for the client software. There are no integration issues on either the client or corporate network side. So what's missing?

The majority of the SSL benefits discussed have been end user-centric. In order for SSL to be successfully used as a viable alternative to VPNs, another element is necessary - essentially, a method to control which clients are allowed access to the corporate network. The SSL-based solution must be able to guarantee the identity of the end user attempting to access the corporate network and decide whether he or she is allowed access. This can be accomplished using client certificates. The company can simply act as its own CA and have end users download certificates. This allows coverage of the basic security tenets: "who you are" (typically a user ID), "what you have" (in this case a valid company-issued SSL certificate), and "what you know" (a password).

This method allows the company to guarantee that only end users with valid certificates are able to access the network. The authentication must occur at a gateway point prior to the remote user's actually gaining access to the network. The key is having a gateway solution that allows a business to enforce these policies easily. With that in place, we have the security issues addressed - encrypted traffic between the end points, guaranteed identity of the remote users accessing the corporate network, and a guarantee that end users are connecting to the right place - all without the cost or administration problems associated with VPN solutions.

Coexistence
While the SSL solution works perfectly to secure Web services or Web-enabled applications and address the concerns expressed by IT executives, VPN technologies provide a few things that SSL can't - dictating that the technologies coexist. VPNs provide a solution for applications that aren't Web enabled, such as client/server-based applications, print services, and general file sharing. While SSL can certainly address downloading files through a browser, there isn't a solid solution for the other two applications at this time.

Businesses now have the opportunity to supply an SSL-based solution to the 80% of their user population that likely uses only 20% of the applications available (VPN services will continue to be required for the other 20% of the population). This shift will result in tremendous savings for businesses in terms of both time and money through:

  • Elimination of costs associated with specialized client software
  • Reduced help desk calls
  • Lowered demands on IT
  • Increased ease of use for remote users
Conclusion
Not exactly "adios VPNs, hello SSL." But as businesses embrace Web services through such efforts as Microsoft's .NET strategy (and J2EE-based platforms for Web services) and the Web enabling of most major business applications available now or within the near future, IT executives will be able to say "adios" to VPNs for a greater percentage of their end users and enjoy the bottom-line benefits as a result.

Reference

  • Fontana, John. (2002). "Top Web services worry: Security." www.nwfusion.com/news/2002/0121webservices.html?docid=7747
  • More Stories By Jeff Browning

    As Product Manager for F5 Networks, Jeff is responsible for driving the product and marketing strategy for F5's iControl API and Software Development Kit. With over 10 years of software industry experience, Jeff's extensive background in Web services, Enterprise Portals, and Software Development tools at leading companies like Microsoft and DataChannel helps bridge the gap between networking technologies and Web services applications for better performing, scalable, and secure enterprise solutions

    Comments (0)

    Share your thoughts on this story.

    Add your comment
    You must be signed in to add a comment. Sign-in | Register

    In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


    Microservices Articles
    The now mainstream platform changes stemming from the first Internet boom brought many changes but didn’t really change the basic relationship between servers and the applications running on them. In fact, that was sort of the point. In his session at 18th Cloud Expo, Gordon Haff, senior cloud strategy marketing and evangelism manager at Red Hat, will discuss how today’s workloads require a new model and a new platform for development and execution. The platform must handle a wide range of rec...
    When building large, cloud-based applications that operate at a high scale, it’s important to maintain a high availability and resilience to failures. In order to do that, you must be tolerant of failures, even in light of failures in other areas of your application. “Fly two mistakes high” is an old adage in the radio control airplane hobby. It means, fly high enough so that if you make a mistake, you can continue flying with room to still make mistakes. In his session at 18th Cloud Expo, Lee A...
    In his general session at 19th Cloud Expo, Manish Dixit, VP of Product and Engineering at Dice, discussed how Dice leverages data insights and tools to help both tech professionals and recruiters better understand how skills relate to each other and which skills are in high demand using interactive visualizations and salary indicator tools to maximize earning potential. Manish Dixit is VP of Product and Engineering at Dice. As the leader of the Product, Engineering and Data Sciences team at D...
    Lori MacVittie is a subject matter expert on emerging technology responsible for outbound evangelism across F5's entire product suite. MacVittie has extensive development and technical architecture experience in both high-tech and enterprise organizations, in addition to network and systems administration expertise. Prior to joining F5, MacVittie was an award-winning technology editor at Network Computing Magazine where she evaluated and tested application-focused technologies including app secu...
    Containers and Kubernetes allow for code portability across on-premise VMs, bare metal, or multiple cloud provider environments. Yet, despite this portability promise, developers may include configuration and application definitions that constrain or even eliminate application portability. In this session we'll describe best practices for "configuration as code" in a Kubernetes environment. We will demonstrate how a properly constructed containerized app can be deployed to both Amazon and Azure ...
    Modern software design has fundamentally changed how we manage applications, causing many to turn to containers as the new virtual machine for resource management. As container adoption grows beyond stateless applications to stateful workloads, the need for persistent storage is foundational - something customers routinely cite as a top pain point. In his session at @DevOpsSummit at 21st Cloud Expo, Bill Borsari, Head of Systems Engineering at Datera, explored how organizations can reap the bene...
    Using new techniques of information modeling, indexing, and processing, new cloud-based systems can support cloud-based workloads previously not possible for high-throughput insurance, banking, and case-based applications. In his session at 18th Cloud Expo, John Newton, CTO, Founder and Chairman of Alfresco, described how to scale cloud-based content management repositories to store, manage, and retrieve billions of documents and related information with fast and linear scalability. He addresse...
    SYS-CON Events announced today that DatacenterDynamics has been named “Media Sponsor” of SYS-CON's 18th International Cloud Expo, which will take place on June 7–9, 2016, at the Javits Center in New York City, NY. DatacenterDynamics is a brand of DCD Group, a global B2B media and publishing company that develops products to help senior professionals in the world's most ICT dependent organizations make risk-based infrastructure and capacity decisions.
    Discussions of cloud computing have evolved in recent years from a focus on specific types of cloud, to a world of hybrid cloud, and to a world dominated by the APIs that make today's multi-cloud environments and hybrid clouds possible. In this Power Panel at 17th Cloud Expo, moderated by Conference Chair Roger Strukhoff, panelists addressed the importance of customers being able to use the specific technologies they need, through environments and ecosystems that expose their APIs to make true ...
    In his keynote at 19th Cloud Expo, Sheng Liang, co-founder and CEO of Rancher Labs, discussed the technological advances and new business opportunities created by the rapid adoption of containers. With the success of Amazon Web Services (AWS) and various open source technologies used to build private clouds, cloud computing has become an essential component of IT strategy. However, users continue to face challenges in implementing clouds, as older technologies evolve and newer ones like Docker c...